Microsoft has removed 18 Edge browser extensions from the Edge Add-ons portal after the extensions were caught injecting ads into users’ web search results pages.
The extensions were removed between November 20 and November 25 after Microsoft received multiple complaints from users via Reddit [1, 2, 3].
A subsequent investigation found multiple abusive extensions that had been uploaded on Microsoft’s new fledgling Edge Add-ons portal.
According to a list shared by a Microsoft community manager, the 18 extensions can be grouped into two categories. The first one is for extensions that tried to pass as the official versions of various apps, even if those apps didn’t have official versions for Edge. This included:
- NordVPN
- Adguard VPN
- TunnelBear VPN
- Ublock Adblock Plus
- Greasemonkey
- Wayback Machine
The second list contained extensions that were copied from authentic Chrome extensions, ported to Edge, and then had malicious code inserted. This included:
- The Great Suspender
- Floating Player – Picture-in-Picture Mode
- Go Back With Backspace
- friGate CDN – smooth access to websites
- Full Page Screenshot
- One Click URL Shortener
- Guru Cleaner – cache and history cleaner
- Grammar and Spelling Checker
- Enable Right Click
- FNAF
- Night Shift Redux
- Old Layout for Facebook
“If you were using any of these extensions installed directly from the Microsoft Edge Addon store, we suggest removing them from edge://extensions,” Microsoft said last month.
The findings highlight that even with a small userbase, Edge has already piqued the interest of cybercrime groups that have been flooding the Chrome and Firefox extension stores with malicious add-ons for the past decade.
As the browser continues to see its usage numbers grow, these types of incidents are expected to become more common, as malware authors usually go where the users are.